High-impact federal systems are vulnerable and under constant assault

By Zach Noble

Jun 21, 2016

Federal agencies could do more to secure high-impact systems, starting with fully implementing their own comprehensive information security programs, the Government Accountability Office said in a report released June 21.

The systems GAO surveyed are "those that hold sensitive information, the loss of which could cause individuals, the government or the nation catastrophic harm," the report states.

GAO said the 24 agencies governed by the Chief Financial Officers Act have a total of 912 high-impact systems -- almost 10 percent of their systems.

The high-impact incidents are part of a broader trend: a 1,303 percent increase in federal information security incidents from 2006 to 2015.

The 18 agencies reported a wide variety of attack vectors, but the old threat -- risky clicks via web- and email-based phishing attempts -- led to most breaches.

The agencies said nation-state actors are among the most serious cyber adversaries testing their high-impact systems.

GAO took a deeper look at four agencies: NASA, the Office of Personnel Management, the Department of Veterans Affairs and the Nuclear Regulatory Commission.

In that deep dive into two high-impact systems at each of the four agencies, GAO found that authorization (or making sure users have the fewest privileges needed to get their jobs done) and boundary protection were weak in every system.

In some cases, patches weren't kept up-to-date or training programs were lacking.

GAO determined that more thorough implementation of existing information security plans would help better secure agencies' systems. The report urges the Office of Management and Budget to issue its revised Circular A-130 to provide agencies with solid security guidance.

GAO also made broad recommendations for NASA, OPM, the VA and NRC, and issued limited-release technical recommendations.

NASA, the VA and NRC concurred with GAO’s recommendations, but OPM took issue with some aspects of the report in its reply comments.

OPM Associate CIO David Vargas said one system under scrutiny belonged to a contractor, and, therefore, OPM didn't have direct responsibility for software patches and training. He also said GAO did not supply the information OPM requested so that the agency could confirm the watchdog's findings. GAO said the information in question had initially been supplied by OPM.

But the procedural quibbles were not the main thrust of GAO's critique.

"Without comprehensive security control assessments, OPM is at increased risk that it may not detect vulnerabilities in its systems," GAO warned.

The Senate Homeland Security and Governmental Affairs Committee publicized the report as a cause for continued congressional oversight.

"I remain concerned that federal agencies are not fulfilling their responsibilities under the law to secure federal information systems," Chairman Ron Johnson (R-Wis.) said in a statement.

"GAO's report details key improvements that must be immediately implemented by the four agencies covered in this report, including OPM," Sen. Susan Collins (R-Maine) said. "The work done by GAO helps to ensure that all our federal networks and databases are properly protected and secured."

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.